BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbitrary files via a STOR operation, or obtain sensitive database-location information via a PMODE operation

Vulnerable Systems:
* Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10

The Yokogawa Centum CS3000 solution uses different services in order to provide all its functionality. The BKBCopyD.exe service, started when running the FCS / Test Function , listens by default on TCP/20111. There is a lack of authentication which makes possible to abuse several operations provided by the service in order to:
Leak the CENTUM project database location.
Read arbitrary files.
Write arbitrary files.